Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.
About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Tagged with: , , , , , , ,
Posted in Data Breach, Data Security
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs